@indigoai-us/hq-cloud 6.0.1 → 6.0.3

package/scripts/replace-rescue.sh

@@ -467,12 +467,20 @@ fi
 TMPDIR="$(mktemp -d -t hq-replace-rescue-XXXXXX)"
 trap 'rm -rf "$TMPDIR"' EXIT
 
-# Append-only record of every file the walk MOVES (rescue) or DELETES
+# Append-only record of every file the walk MOVES (rescue) or LEAVES in place
 # (unchanged). Folded into the snapshot's RECOVERY.md manifest after the run
 # so a user can see exactly what changed and restore any single file.
 RESCUE_LOG="$TMPDIR/rescue-actions.log"
 : > "$RESCUE_LOG"
 
+# Paths the walk classified UNCHANGED (left in place). Fed to the overlay as an
+# --exclude-from so rsync never touches them — preserving their on-disk mtime
+# exactly (Layer 1). rsync's -t re-stamps even a checksum-skipped file to the
+# source's time, so excluding is the only way to leave the local mtime truly
+# untouched.
+UNCHANGED_LIST="$TMPDIR/unchanged-paths.txt"
+: > "$UNCHANGED_LIST"
+
 # Build the clone URL. If GH_TOKEN is set in the environment, inject it as
 # the basic-auth user so `git clone` can access private staging repos
 # without an interactive credential prompt. This is the form the GitHub
@@ -518,6 +526,51 @@ fi
 SRC_SHA="$(cd "$TMPDIR/src" && git rev-parse HEAD)"
 echo "==> Source SHA: $SRC_SHA"
 
+# --- Restore file mtimes from git history (mtime-preservation fix) -----------
+#
+# A bare `git clone`/checkout stamps every working-tree file with clone-time
+# (git stores no per-file mtimes), so the `rsync -a` overlay below would reset
+# every rescued file's mtime to "whenever rescue ran" — collapsing all history
+# onto one instant and breaking "newer-than" comparisons, mtime-keyed caches,
+# and reproducible state across machines. This is the rescue-path analogue of
+# the 5.37.0 `hq-mtime` fix on the sync/S3 path, sourced from git commit times
+# because the rescue source is a clone, not the vault.
+#
+# Single history walk, newest-first: the first commit a path appears in is its
+# last-modifying commit, and that commit's committer-date becomes the file's
+# mtime. Applied via perl's utime() — portable across macOS/Linux, unlike
+# `touch -d @epoch` (GNU-only). Symlinks are skipped (utime follows the link
+# to its target). Deleted-then-readded paths resolve correctly: newest wins.
+restore_mtimes_from_git() {
+  local src="$1"
+  if ! command -v perl >/dev/null 2>&1; then
+    echo "    (perl unavailable; skipping mtime restore — overlay mtimes stay clone-time)"
+    return 0
+  fi
+
+  # Correct per-file granularity needs full history. A shallow clone knows
+  # only the tip commit, so every file would collapse to the release time;
+  # deepen (blob:none keeps it to cheap commit/tree metadata) when shallow.
+  if [ "$(git -C "$src" rev-parse --is-shallow-repository 2>/dev/null)" = "true" ]; then
+    echo "==> Deepening clone for per-file mtime history (blob:none) ..."
+    git -C "$src" fetch --unshallow --filter=blob:none >/dev/null 2>&1 \
+      || echo "    (unshallow failed; mtimes fall back to release tip-commit time)"
+  fi
+
+  echo "==> Restoring file mtimes from git commit history ..."
+  git -C "$src" log --no-renames --pretty=format:'C:%ct' --name-only --diff-filter=ACMR 2>/dev/null \
+    | awk '/^C:/ { ts = substr($0, 3); next } NF { if (!seen[$0]++) print ts "\t" $0 }' \
+    | SRC="$src" perl -ne '
+        chomp;
+        my ($ts, $rel) = split(/\t/, $_, 2);
+        next unless defined $rel and length $rel;
+        my $f = "$ENV{SRC}/$rel";
+        next if -l $f or not -f $f;
+        utime $ts, $ts, $f;
+      ' || true
+}
+restore_mtimes_from_git "$TMPDIR/src"
+
 # --- Resolve the history floor (last-sync SHA reachable in clone?) ----------
 #
 # The v0.1.104 algorithm drops the path → all-time-SHA index in favour of
@@ -1090,13 +1143,30 @@ process_one() {
       fi
     fi
   else
-    # UNCHANGED — overlay will replace cleanly.
+    # user_edited=0: local matches the floor baseline (user didn't touch it).
+    # That does NOT mean it matches upstream HEAD — upstream may have advanced
+    # or removed it. Split on byte-equality to the HEAD version the overlay
+    # would write ($TMPDIR/src is checked out at HEAD):
+    #   identical to HEAD -> overlay is a content no-op; leave it untouched and
+    #     protect it from the overlay so its mtime is preserved (Layer 1).
+    #   differs from HEAD  -> keep the original delete semantics: rm now; the
+    #     no-delete overlay re-lays it from source (with a git-commit mtime)
+    #     when still upstream, or leaves it gone when upstream removed it.
     COUNT_UNCHANGED=$((COUNT_UNCHANGED + 1))
-    if [ "$DRY_RUN" = "1" ]; then
-      echo "    unchanged (delete + replace): $rel"
+    if cmp -s "$local_path" "$TMPDIR/src/$rel" 2>/dev/null; then
+      if [ "$DRY_RUN" = "1" ]; then
+        echo "    unchanged (preserved in place): $rel"
+      else
+        printf '/%s\n' "$rel" >> "$UNCHANGED_LIST"
+        printf 'unchanged\t%s\t(identical to upstream; left in place, mtime preserved)\n' "$rel" >> "$RESCUE_LOG" 2>/dev/null || true
+      fi
     else
-      rm -f "$local_path"
-      printf 'deleted\t%s\t(unchanged vs baseline; re-created by overlay)\n' "$rel" >> "$RESCUE_LOG" 2>/dev/null || true
+      if [ "$DRY_RUN" = "1" ]; then
+        echo "    unchanged (delete + replace): $rel"
+      else
+        rm -f "$local_path"
+        printf 'deleted\t%s\t(unchanged vs baseline; re-laid by overlay if still upstream)\n' "$rel" >> "$RESCUE_LOG" 2>/dev/null || true
+      fi
     fi
   fi
 }
@@ -1211,7 +1281,7 @@ if [ "$DRY_RUN" = "1" ]; then
   echo ""
   echo "==> DRY RUN classification summary:"
   echo "  user-only (leave in place):       $COUNT_USER_ONLY files"
-  echo "  unchanged (delete + replace):     $COUNT_UNCHANGED files"
+  echo "  unchanged (preserved/re-laid):    $COUNT_UNCHANGED files"
   echo "  user-edit (rescue / diff-append): $COUNT_USER_EDIT files"
   echo "  user-edit (conflict quarantine):  $COUNT_USER_CONFLICT files"
   echo "  user-edit (overwrite-safe):       $COUNT_USER_OVERWRITE files"
@@ -1270,7 +1340,7 @@ for sp in "${PRESERVE_SUBPATHS[@]+"${PRESERVE_SUBPATHS[@]}"}"; do
 done
 
 echo ""
-echo "==> Walk complete (user-only: $COUNT_USER_ONLY, unchanged-deleted: $COUNT_UNCHANGED, user-edit-rescued: $COUNT_USER_EDIT, conflict-quarantined: $COUNT_USER_CONFLICT, overwrite-safe: $COUNT_USER_OVERWRITE, cloud-symlink-reconciled: $COUNT_CLOUD_SYMLINK_RECONCILED, symlinks-dropped: $COUNT_SYMLINK_DROPPED)"
+echo "==> Walk complete (user-only: $COUNT_USER_ONLY, unchanged: $COUNT_UNCHANGED, user-edit-rescued: $COUNT_USER_EDIT, conflict-quarantined: $COUNT_USER_CONFLICT, overwrite-safe: $COUNT_USER_OVERWRITE, cloud-symlink-reconciled: $COUNT_CLOUD_SYMLINK_RECONCILED, symlinks-dropped: $COUNT_SYMLINK_DROPPED)"
 # Note: v0.1.103-and-earlier did a wholesale `rm -rf` of every wipe-set
 # top-level entry here. The new walk_and_process does per-file deletion
 # (only files that exist in upstream + are unchanged are deleted; user-only
@@ -1279,7 +1349,16 @@ echo "==> Walk complete (user-only: $COUNT_USER_ONLY, unchanged-deleted: $COUNT_
 # the walk left alone.
 
 echo "==> Overlaying source onto HQ root ..."
-rsync -a "${RSYNC_EXCLUDES[@]}" "$TMPDIR/src/" "$HQ_ROOT/"
+# Protect UNCHANGED (identical-to-HEAD) files: feed their paths as an
+# --exclude-from (FIRST in the filter chain, so it wins) so rsync never touches
+# them — -a's -t would otherwise re-stamp their mtime to the source's time, and
+# excluding is the only way to leave the local mtime truly untouched (Layer 1).
+# Every other file under the wipe set was already rm'd by the walk, so the
+# overlay writes into an absent slot and -a carries the git-commit mtimes
+# restore_mtimes_from_git stamped onto the source.
+OVERLAY_PROTECT=()
+[ -s "$UNCHANGED_LIST" ] && OVERLAY_PROTECT=( --exclude-from="$UNCHANGED_LIST" )
+rsync -a "${OVERLAY_PROTECT[@]+"${OVERLAY_PROTECT[@]}"}" "${RSYNC_EXCLUDES[@]}" "$TMPDIR/src/" "$HQ_ROOT/"
 
 if [ -s "$TMPDIR/preserve.map" ]; then
   echo "==> Restoring preserved sub-paths ..."
@@ -1355,7 +1434,7 @@ done
 echo ""
 echo "==> Classification:"
 echo "    user-only (left in place):        $COUNT_USER_ONLY files"
-echo "    unchanged (deleted + overlaid):   $COUNT_UNCHANGED files"
+echo "    unchanged (preserved/re-laid):    $COUNT_UNCHANGED files"
 echo "    user-edits (rescued):             $COUNT_USER_EDIT files"
 echo "    user-edits (conflict quarantine): $COUNT_USER_CONFLICT files"
 echo "    user-edits (overwrite-safe):      $COUNT_USER_OVERWRITE files"
@@ -1390,7 +1469,7 @@ if [ "$DO_BACKUP" = "1" ] && [ -n "$BACKUP_DIR" ] && [ -d "$BACKUP_DIR" ]; then
     echo ""
     echo "## What the rescue did"
     echo "  user-only  (left in place):              $COUNT_USER_ONLY"
-    echo "  unchanged  (deleted + re-overlaid):      $COUNT_UNCHANGED"
+    echo "  unchanged  (preserved/re-laid):          $COUNT_UNCHANGED"
     echo "  user-edit  (rescued into personal/):     $COUNT_USER_EDIT"
     echo "  user-edit  (conflict quarantine):        $COUNT_USER_CONFLICT"
     echo "  user-edit  (overwrite-safe):             $COUNT_USER_OVERWRITE"

package/src/cli/rescue-drift-reconcile.test.ts

@@ -150,7 +150,7 @@ exec ${JSON.stringify(realGit)} "$@"
     expect(out).toContain("user-edit (rescue): core/edited.md  ->  personal/edited.md");
 
     // Untouched file classified UNCHANGED.
-    expect(out).toContain("unchanged (delete + replace): core/keep.md");
+    expect(out).toContain("unchanged (preserved in place): core/keep.md");
 
     // Summary reflects exactly one reconcile.
     expect(out).toMatch(/drift reconciled \(== upstream\):\s+1 files/);

package/src/cli/rescue-mtime-preserve.test.ts

@@ -0,0 +1,182 @@
+/**
+ * Integration regression for the rescue mtime-preservation fix in
+ * scripts/replace-rescue.sh.
+ *
+ * The bug: rescue rebuilds the tree by `git clone` + `rsync -a`. A git
+ * checkout stamps every file with clone-time (git stores no per-file mtimes),
+ * so the overlay reset EVERY rescued file's mtime to "whenever rescue ran" —
+ * collapsing real history onto one instant (the exact fingerprint that flagged
+ * this: hundreds of files sharing one mtime, mtime == ctime == birth).
+ *
+ * The fix has three parts, all asserted below:
+ *   - Layer 1: UNCHANGED files are left in place; the --checksum overlay skips
+ *     them, so their existing mtime survives.
+ *   - Layer 2: files the overlay DOES write (upstream-changed, brand-new) get
+ *     the git committer-date of their last-modifying commit, not wall-clock.
+ *   - Layer 3: full history is used (history_floor mode clones full history;
+ *     the shallow path unshallows) so per-file commit times are real.
+ *
+ * The script clones from GitHub, so we shim `git clone` to a local fixture
+ * (same technique as rescue-drift-reconcile.test.ts) and run for real
+ * (non-dry-run, --no-backup) so the overlay actually lays files down.
+ */
+import { describe, it, expect, beforeAll, afterAll } from "vitest";
+import { execFileSync, spawnSync } from "child_process";
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+
+const RESCUE_SCRIPT = path.resolve(process.cwd(), "scripts/replace-rescue.sh");
+
+function has(bin: string, ...args: string[]): boolean {
+  try {
+    execFileSync(bin, args, { stdio: "ignore" });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// Needs git (fixture + clone), rsync (overlay), and perl (the utime pass).
+const toolsAvailable =
+  has("git", "--version") && has("rsync", "--version") && has("perl", "-e", "1");
+
+// Fixed commit epochs so assertions are exact and machine-independent.
+const FLOOR_EPOCH = 1577836800; // 2020-01-01T00:00:00Z
+const HEAD_EPOCH = 1609459200; // 2021-01-01T00:00:00Z
+const KEEP_PRESET_EPOCH = 1546300800; // 2019-01-01T00:00:00Z (local, pre-rescue)
+
+describe.skipIf(!toolsAvailable)("rescue preserves mtimes (no clone-time flattening)", () => {
+  let workDir: string;
+  let upstream: string;
+  let hqRoot: string;
+  let shimDir: string;
+  let floorSha: string;
+  let env: NodeJS.ProcessEnv;
+
+  const gitAt = (cwd: string, epoch: number, ...args: string[]) =>
+    execFileSync("git", args, {
+      cwd,
+      stdio: ["ignore", "pipe", "pipe"],
+      env: {
+        ...process.env,
+        GIT_AUTHOR_NAME: "t",
+        GIT_AUTHOR_EMAIL: "t@t",
+        GIT_COMMITTER_NAME: "t",
+        GIT_COMMITTER_EMAIL: "t@t",
+        GIT_AUTHOR_DATE: `${epoch} +0000`,
+        GIT_COMMITTER_DATE: `${epoch} +0000`,
+      },
+    })
+      .toString()
+      .trim();
+
+  const mtimeSec = (p: string) => Math.floor(fs.statSync(p).mtimeMs / 1000);
+
+  beforeAll(() => {
+    workDir = fs.mkdtempSync(path.join(os.tmpdir(), "hq-rescue-mtime-"));
+
+    // --- "upstream" repo ----------------------------------------------------
+    //   floor commit (2020): x.md=v1, edited.md=base, keep.md=same
+    //   HEAD  commit (2021): x.md=v2 (changed) + new.md added; keep.md untouched
+    upstream = path.join(workDir, "upstream");
+    fs.mkdirSync(path.join(upstream, "core"), { recursive: true });
+    gitAt(workDir, FLOOR_EPOCH, "init", "-b", "main", "upstream");
+    fs.writeFileSync(path.join(upstream, "core/x.md"), "v1\n");
+    fs.writeFileSync(path.join(upstream, "core/edited.md"), "base\n");
+    fs.writeFileSync(path.join(upstream, "core/keep.md"), "same\n");
+    gitAt(upstream, FLOOR_EPOCH, "add", "-A");
+    gitAt(upstream, FLOOR_EPOCH, "commit", "-m", "floor");
+    floorSha = gitAt(upstream, FLOOR_EPOCH, "rev-parse", "HEAD");
+    fs.writeFileSync(path.join(upstream, "core/x.md"), "v2\n");
+    fs.writeFileSync(path.join(upstream, "core/new.md"), "fresh\n");
+    gitAt(upstream, HEAD_EPOCH, "add", "-A");
+    gitAt(upstream, HEAD_EPOCH, "commit", "-m", "head");
+
+    // --- local HQ root being rescued ----------------------------------------
+    hqRoot = path.join(workDir, "hq");
+    fs.mkdirSync(path.join(hqRoot, "core"), { recursive: true });
+    fs.mkdirSync(path.join(hqRoot, "personal"), { recursive: true });
+    fs.mkdirSync(path.join(hqRoot, "companies"), { recursive: true });
+    // Unchanged vs floor but upstream advanced v1 -> v2: overlay rewrites it.
+    fs.writeFileSync(path.join(hqRoot, "core/x.md"), "v1\n");
+    // User-edited: rescued to personal/ (not asserted here).
+    fs.writeFileSync(path.join(hqRoot, "core/edited.md"), "MINE\n");
+    // Identical to upstream HEAD: UNCHANGED -> left in place. Pre-stamp an old
+    // mtime that must survive the rescue.
+    const keep = path.join(hqRoot, "core/keep.md");
+    fs.writeFileSync(keep, "same\n");
+    fs.utimesSync(keep, KEEP_PRESET_EPOCH, KEEP_PRESET_EPOCH);
+
+    // --- git shim: redirect `git clone <github-url>` to the local fixture ----
+    const realGit = execFileSync("bash", ["-lc", "command -v git"]).toString().trim() || "/usr/bin/git";
+    shimDir = path.join(workDir, "shim");
+    fs.mkdirSync(shimDir, { recursive: true });
+    const shim = `#!/usr/bin/env bash
+if [ "$1" = "clone" ]; then
+  args=()
+  for a in "$@"; do
+    case "$a" in
+      https://github.com/*) a=${JSON.stringify(upstream)} ;;
+    esac
+    args+=("$a")
+  done
+  exec ${JSON.stringify(realGit)} "\${args[@]}"
+fi
+exec ${JSON.stringify(realGit)} "$@"
+`;
+    fs.writeFileSync(path.join(shimDir, "git"), shim, { mode: 0o755 });
+    env = { ...process.env, PATH: `${shimDir}:${process.env.PATH ?? ""}` };
+
+    // --- run the real rescue (non-dry-run) ----------------------------------
+    const r = spawnSync(
+      "bash",
+      [
+        RESCUE_SCRIPT,
+        "--hq-root", hqRoot,
+        "--source", "test/repo",
+        "--ref", "main",
+        "--floor-sha", floorSha,
+        "--yes",
+        "--no-backup",
+      ],
+      { env, encoding: "utf-8" },
+    );
+    // Surface script output on failure for debuggability.
+    if (r.status !== 0) {
+      throw new Error(`rescue failed (${r.status}):\n${r.stdout}\n${r.stderr}`);
+    }
+  });
+
+  afterAll(() => {
+    if (workDir) fs.rmSync(workDir, { recursive: true, force: true });
+  });
+
+  it("rewrites an upstream-changed file with its git commit mtime (not now)", () => {
+    const x = path.join(hqRoot, "core/x.md");
+    expect(fs.readFileSync(x, "utf-8")).toBe("v2\n");
+    expect(mtimeSec(x)).toBe(HEAD_EPOCH);
+  });
+
+  it("creates a brand-new upstream file with its git commit mtime", () => {
+    const n = path.join(hqRoot, "core/new.md");
+    expect(fs.existsSync(n)).toBe(true);
+    expect(mtimeSec(n)).toBe(HEAD_EPOCH);
+  });
+
+  it("leaves an UNCHANGED file in place, preserving its existing mtime (Layer 1)", () => {
+    const keep = path.join(hqRoot, "core/keep.md");
+    expect(fs.readFileSync(keep, "utf-8")).toBe("same\n");
+    expect(mtimeSec(keep)).toBe(KEEP_PRESET_EPOCH);
+  });
+
+  it("never stamps an overlaid file with wall-clock-now (the original bug)", () => {
+    const now = Math.floor(Date.now() / 1000);
+    for (const rel of ["core/x.md", "core/new.md", "core/keep.md"]) {
+      const age = now - mtimeSec(path.join(hqRoot, rel));
+      // Every asserted file predates the run by years; a clone-time stamp
+      // would be within seconds of now.
+      expect(age, `${rel} mtime looks like wall-clock-now`).toBeGreaterThan(60);
+    }
+  });
+});

package/src/cli/share.test.ts

@@ -1132,14 +1132,12 @@ describe("share", () => {
           }),
         );
 
-        // Currency-gated HEADs the candidate; return an etag matching the
-        // journal so the entry resolves as "remote still current → safe to
-        // tombstone."
-        vi.mocked(headRemoteFile).mockResolvedValueOnce({
-          lastModified: new Date(),
-          etag: '"personal-vault-drift-etag"',
-          size: 1054,
-        });
+        // (Pre-6.0.2: currency-gated would have HEADed the candidate; the
+        // mockResolvedValueOnce that lived here is now redundant because the
+        // vault-litter drain bypasses HEAD entirely for `.drift-` markers.
+        // Leaving the mock here would queue an unconsumed return value and
+        // poison the next test's HEAD call — removed so the assertion above
+        // verifies the litter path, not the etag path.)
 
         const personalCtx = makeEntityContext({
           uid: "prs_01HASSAANTESTUSER",
@@ -1970,14 +1968,23 @@ describe("share", () => {
     expect(uploadFile).not.toHaveBeenCalled();
   });
 
-  it("conflict-mirror exclusion: journaled mirror with local-missing is NOT swept by delete plan", async () => {
+  it("vault-litter drain (6.0.2): journaled `.conflict-*` mirror with local-missing IS swept by the delete plan", async () => {
+    // Updated semantics (6.0.2): the existing-litter state — a conflict
+    // mirror that leaked into the journal from a prior buggy upload and was
+    // subsequently deleted locally — used to survive every sync because the
+    // `isEphemeralPath` skip in computeDeletePlan was wired to drop it
+    // before tombstoning. The deferred "dedicated reconcile command" the
+    // doc-comment promised never materialized, and the litter accumulated
+    // until users noticed it (e.g. the May-27 `personal/.obsidian/*.drift-*`
+    // pair on the EC2 outpost). The fix: drain unconditionally via the
+    // litter bucket — bypass shouldSync, ephemeral-skip, policy, and the
+    // bulk-asymmetry breaker. By construction litter is not user content
+    // (the EPHEMERAL_PATH_PATTERN / DRIFT_PATH_PATTERN regexes are precise
+    // enough that a false-positive on a real user filename is vanishingly
+    // unlikely), so the absence of those gates is the correct behavior.
     const companyRoot = path.join(tmpDir, "companies", "acme");
     fs.mkdirSync(companyRoot, { recursive: true });
-    // Simulate the existing-litter state: a conflict mirror that leaked
-    // into the journal in a prior buggy version. Locally missing (user
-    // already deleted it). The regular delete plan must NOT issue a
-    // DeleteObject — that's the dedicated reconcile command's job, and
-    // a sync should not accidentally race a user reviewing the mirror.
+
     const journalPath = path.join(stateDir, "sync-journal.acme.json");
     fs.writeFileSync(
       journalPath,
@@ -1999,7 +2006,10 @@ describe("share", () => {
       }),
     );
 
-    // HEAD needed for the non-mirror entry under currency-gated.
+    // HEAD needed for the non-mirror entry under currency-gated. The litter
+    // drain bypasses HEAD by design — the etag check encodes a "remote
+    // hasn't drifted since I last synced" invariant that doesn't apply to
+    // never-should-have-been-there litter.
     vi.mocked(headRemoteFile).mockResolvedValue({
       lastModified: new Date(),
       etag: '"regular-etag"',
@@ -2015,19 +2025,81 @@ describe("share", () => {
       propagateDeletes: true,
     });
 
-    expect(result.filesDeleted).toBe(1);
-    expect(deleteRemoteFile).toHaveBeenCalledTimes(1);
+    // BOTH the regular file AND the conflict mirror tombstone in one pass.
+    expect(result.filesDeleted).toBe(2);
+    expect(deleteRemoteFile).toHaveBeenCalledTimes(2);
     expect(deleteRemoteFile).toHaveBeenCalledWith(expect.anything(), "regular.md");
-    expect(deleteRemoteFile).not.toHaveBeenCalledWith(
+    expect(deleteRemoteFile).toHaveBeenCalledWith(
       expect.anything(),
-      expect.stringContaining("conflict-"),
+      "CLAUDE.md.conflict-2026-05-13T19-40-40Z-e5797a.md",
     );
-    // Mirror's journal entry survives — reconcile command (separate skill)
-    // sweeps it once the user explicitly opts in.
+    // Both journal entries are removed by the delete loop's removeEntry call.
     const journal = JSON.parse(fs.readFileSync(journalPath, "utf-8"));
     expect(
       journal.files["CLAUDE.md.conflict-2026-05-13T19-40-40Z-e5797a.md"],
-    ).toBeDefined();
+    ).toBeUndefined();
+    expect(journal.files["regular.md"]).toBeUndefined();
+  });
+
+  it("vault-litter drain (6.0.2): `.drift-<unixts>-<pid>` rescue markers drain regardless of personal-vault exclusion path (the live obsidian case)", async () => {
+    // The exact failure mode that motivated the fix: a rescue-overlay
+    // `.drift-` marker sitting under a personal-vault default exclusion
+    // (`.obsidian/**`) survives every sync because `shouldSync` rejects
+    // the parent path before the delete plan ever considers the entry.
+    // The litter bypass routes such keys around shouldSync directly into
+    // `litterToDelete`.
+    const stateDirPersonal = fs.mkdtempSync(
+      path.join(os.tmpdir(), "hq-state-prs-drift-"),
+    );
+    process.env.HQ_STATE_DIR = stateDirPersonal;
+    try {
+      const journalPath = path.join(
+        stateDirPersonal,
+        "sync-journal.__hq_personal_vault__.json",
+      );
+      fs.writeFileSync(
+        journalPath,
+        JSON.stringify({
+          version: "1",
+          lastSync: new Date().toISOString(),
+          files: {
+            "personal/.obsidian/graph.json.drift-1779863862-42519": {
+              hash: "h", size: 1054, syncedAt: new Date().toISOString(),
+              direction: "down",
+              remoteEtag: "obsidian-drift-etag",
+            },
+          },
+        }),
+      );
+
+      const personalCtx = makeEntityContext({
+        uid: "prs_01HASSAANTESTUSER",
+        slug: "__hq_personal_vault__",
+        bucketName: "hq-vault-prs-01HASSAANTESTUSER",
+      });
+
+      const result = await share({
+        paths: [tmpDir],
+        entityContext: personalCtx,
+        hqRoot: tmpDir,
+        personalMode: true,
+        skipUnchanged: true,
+        propagateDeletes: true,
+      });
+
+      expect(result.filesDeleted).toBe(1);
+      expect(deleteRemoteFile).toHaveBeenCalledWith(
+        expect.anything(),
+        "personal/.obsidian/graph.json.drift-1779863862-42519",
+      );
+      const journal = JSON.parse(fs.readFileSync(journalPath, "utf-8"));
+      expect(
+        journal.files["personal/.obsidian/graph.json.drift-1779863862-42519"],
+      ).toBeUndefined();
+    } finally {
+      fs.rmSync(stateDirPersonal, { recursive: true, force: true });
+      delete process.env.HQ_STATE_DIR;
+    }
   });
 
   // ── personalMode ───────────────────────────────────────────────────────────

package/src/cli/share.ts

@@ -100,6 +100,64 @@ export const EPHEMERAL_PATH_PATTERN =
  * matches anywhere in the string, which is fine: the
  * `.conflict-<ISO>-<hash>.` token is unambiguous.
  */
+/**
+ * Rescue-overlay drift marker pattern. Written by `replace-rescue.sh`
+ * (`rescue_one` / `conflict_one`) when its rescue target already exists:
+ * `<orig>.drift-<unix-ts>-<pid>` — a collision suffix so the previous override
+ * is never silently overwritten. Distinct from `EPHEMERAL_PATH_PATTERN` —
+ * different producer (the rescue script vs the sync conflict-mirror path),
+ * different filename grammar (decimal timestamp + decimal pid vs ISO timestamp
+ * + hex machine hash). Like conflict mirrors, drift markers should never live
+ * in the vault; if a buggy past run uploaded one, the delete plan must be
+ * able to drain it regardless of where it sits.
+ */
+export const DRIFT_PATH_PATTERN = /\.drift-\d+-\d+$/;
+
+/**
+ * True iff the key is local-only ephemeral vault litter — a sync conflict
+ * mirror (`.conflict-<ISO>-<machine>[.ext]`) OR a rescue drift marker
+ * (`.drift-<unixts>-<pid>`).
+ *
+ * Used by `computeDeletePlan` to UNCONDITIONALLY drain existing vault litter,
+ * bypassing every "skip" gate that would otherwise trap it:
+ *
+ *   1. `shouldSync` — the personal-vault default exclusions (introduced in
+ *      5.25) reject paths like `**.obsidian/**`, `**.env`, `**output/**`,
+ *      `**node_modules/**`, etc. from BOTH the upload walk AND the delete
+ *      plan. That's correct for fresh content (don't upload), but it also
+ *      strands any litter already in the vault at those paths — `<orig>.drift`
+ *      / `<orig>.conflict` files inside an excluded parent get re-pulled
+ *      every sync and never tombstoned. The live obsidian case here:
+ *      `personal/.obsidian/graph.json.drift-1779863862-42519` survived every
+ *      sync for two weeks because `.obsidian` is excluded.
+ *   2. `isEphemeralPath` — the existing skip in `computeDeletePlan` was
+ *      designed to prevent a FRESH local `.conflict-*` mirror (written by the
+ *      pull leg's "keep" branch as a side-by-side comparison file) from being
+ *      miscounted as a delete candidate before the user has resolved the
+ *      conflict. That intent stands, but it accidentally protects EXISTING
+ *      cloud litter too. The fix: when the local file is already gone AND the
+ *      key matches the litter pattern, drain it; the "fresh mirror, hasn't
+ *      been resolved yet" case is impossible because that mirror would still
+ *      be on disk.
+ *   3. The policy gate — `owned-only`'s direction filter and
+ *      `currency-gated`'s etag check both encode user-content invariants
+ *      that don't apply to litter (a `.drift-…-PID` file has no meaningful
+ *      "ownership" or "freshness"; it's a stale local-overlay collision
+ *      marker, by construction).
+ *   4. The bulk-asymmetry circuit breaker — litter cleanup is intentional
+ *      ratchet-drain, not a "corrupt local mirror, refuse mass-delete"
+ *      signal. Litter is queued via a separate bucket the breaker never
+ *      sweeps.
+ *
+ * Together: a vault key matching either pattern always tombstones on the
+ * next push leg, regardless of personal-vault exclusions, ephemeral skip,
+ * policy, or breaker. Producer-side exclusions (upload walker + rescue
+ * script) close the ratchet on new litter; this drains the legacy buildup.
+ */
+export function isVaultLitterArtifact(p: string): boolean {
+  return EPHEMERAL_PATH_PATTERN.test(p) || DRIFT_PATH_PATTERN.test(p);
+}
+
 export function isEphemeralPath(p: string): boolean {
   return EPHEMERAL_PATH_PATTERN.test(p);
 }
@@ -1799,12 +1857,21 @@ async function computeDeletePlan(
   // and the journal-mutation buckets are already settled before any I/O.
   type HeadCandidate = { key: string; journalEtag: string };
   const headCandidates: HeadCandidate[] = [];
+  // Litter drain bucket — kept separate from `plan.toDelete` so the
+  // bulk-asymmetry breaker (which moves toDelete + headCandidates into
+  // `refusedStale` when it trips) can't sweep these out. See
+  // `isVaultLitterArtifact` for the patterns and rationale: by construction
+  // these aren't user content losses, so a high ratio of litter must not
+  // refuse the drain — that's the whole point of the bypass. Merged into
+  // `plan.toDelete` after the breaker check.
+  const litterToDelete: string[] = [];
   // Bulk-asymmetry tracking: count every in-scope journal entry (denominator)
   // and every entry that would have been a delete-candidate before the guard
   // (numerator). Numerator = headCandidates + owned-only/all toDelete picks +
   // legacy-no-etag refusals. We do NOT count "ENOENT but ignore-filtered" or
   // "ENOENT but ephemeral" — those drop out of the plan entirely on their own
-  // and don't reflect mirror-loss intent.
+  // and don't reflect mirror-loss intent — and litter drains (see above),
+  // which are intentional ratchet-cleanup, not mass-delete intent.
   let inScopeJournalEntries = 0;
   let bulkCandidatePicks = 0;
 
@@ -1834,9 +1901,28 @@ async function computeDeletePlan(
       }
     }
     if (presentLocally) continue;
+
+    // Vault-litter drain (6.0.2): conflict mirrors + rescue drift markers
+    // ALWAYS drain, bypassing `shouldSync` (which would skip them when the
+    // parent path is in personal-vault default exclusions like
+    // `.obsidian/**`), the `isEphemeralPath` skip (which protects FRESH
+    // local conflict mirrors but accidentally also protects existing vault
+    // litter), the policy gate (no meaningful ownership/freshness for
+    // litter), and the bulk-asymmetry breaker (intentional ratchet-drain,
+    // not corrupt-mirror mass-delete intent). See `isVaultLitterArtifact`
+    // for the full rationale and patterns. Queued via the separate
+    // `litterToDelete` bucket so the breaker can't sweep these out.
+    if (isVaultLitterArtifact(relativeKey)) {
+      litterToDelete.push(relativeKey);
+      continue;
+    }
+
     if (!shouldSync(localPath, false) && !shouldSync(localPath, true)) continue;
     // Ephemeral artifacts (conflict mirrors) never propagate-delete via the
-    // normal path — see EPHEMERAL_PATH_PATTERN doc.
+    // normal path — see EPHEMERAL_PATH_PATTERN doc. NOTE: this is a no-op
+    // post-litter-drain above — any key matching EPHEMERAL_PATH_PATTERN was
+    // already routed to `litterToDelete`. Retained as defense-in-depth +
+    // documentation of the policy-side intent.
     if (isEphemeralPath(relativeKey)) continue;
 
     if (policy === "all") {
@@ -1907,6 +1993,12 @@ async function computeDeletePlan(
       ratio: bulkCandidatePicks / inScopeJournalEntries,
       samplePaths,
     };
+    // Litter still drains even when the breaker trips — see `litterToDelete`
+    // declaration. The breaker protects against corrupt-mirror mass-deletes
+    // of user content; litter cleanup is orthogonal and should never be
+    // refused for the same reason new-litter producer-side exclusions
+    // shouldn't block it.
+    plan.toDelete.push(...litterToDelete);
     return plan;
   }
 
@@ -1944,6 +2036,13 @@ async function computeDeletePlan(
     }
   }
 
+  // Litter drains alongside the normal candidates — bypasses every gate but
+  // settles into the same plan.toDelete bucket so the share() executor's
+  // delete loop tombstones each key identically (DeleteObject + remove from
+  // journal). Merged at the end so the bulk-asymmetry breaker above had its
+  // chance to NOT include litter in either the numerator or the sweep.
+  plan.toDelete.push(...litterToDelete);
+
   return plan;
 }